Feature Request: Support for apt Packages in SBOM Generation
Background

GitLab's SBOM generation currently does not cover the apt package manager, so packages installed through apt on Debian and Ubuntu systems never appear in the generated bill of materials. For projects built on Debian-based images this omits the OS-level dependencies (libc, OpenSSL, curl and the like) that make up most of the attack surface, and it prevents us from producing an SBOM that is complete enough to be useful for vulnerability tracking.

Proposal

We propose adding apt package support to GitLab's SBOM generation tool. The feature should automatically record every installed apt package and its metadata (at minimum name, version and architecture) in the SBOM files generated in GitLab CI/CD pipelines, so that OS-level and application-level dependencies end up in the same bill of materials.
Justification

Our Workflow: Our organization uses GitLab for CI/CD in conjunction with a large number of Debian-based containers. Our applications rely heavily on packages installed via apt, and the ability to generate an SBOM that includes these packages is crucial for maintaining security compliance and managing dependencies effectively.

Impact of the Missing Support: Without this feature, we are forced to track these dependencies manually, which is error-prone and time-consuming. This manual process increases the risk of oversight and makes it difficult to quickly address security vulnerabilities in the dependency chain.
Benefits

Broader Applicability: apt support in SBOM generation would benefit not only our organization but every team that ships Debian- or Ubuntu-based images, making GitLab a more versatile and appealing choice for organizations concerned with security and compliance.

Alignment with Industry Standards: An SBOM that omits an entire package ecosystem cannot satisfy the expectation that it lists all components of the delivered artifact. Supporting a broader range of package managers, including apt, would keep GitLab competitive and in line with industry practice in software composition analysis and vulnerability tracking.
Examples

Current Workarounds: We currently document the apt dependencies manually, which not only diverts resources from development but also introduces the potential for human error in our security processes.

Comparison: Other CI/CD platforms such as Jenkins have plugins available that support the inclusion of apt packages in generated SBOMs, giving them a more holistic security and compliance toolkit.
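To show what the requested feature needs to produce, and as an interim replacement for the manual tracking described above, the following script is an added example (it is not GitLab code and not part of the original request). It reads the package list that dpkg maintains, keeps only packages whose status is "installed", derives the Debian/Ubuntu distribution from /etc/os-release, and emits a CycloneDX 1.5 JSON SBOM in which every package carries a purl of the form pkg:deb/<distro>/<name>@<version>?arch=...&distro=.... The dpkg-query output and os-release content embedded below are constructed samples; on a real image the main function runs dpkg-query itself.

```python
"""Emit a CycloneDX 1.5 SBOM for the apt/dpkg packages installed in an image.

Added example for the feature request above; not GitLab's own tooling.
Assumptions: dpkg-query and /etc/os-release are present in the image that
the CI job runs in, and the purl "deb" type with the arch/distro qualifiers
is the identifier the consumer expects.
"""
import json
import subprocess
from datetime import datetime, timezone
from urllib.parse import quote

# Format string handed to dpkg-query; one tab-separated line per package.
DPKG_FORMAT = r"${Package}\t${Version}\t${Architecture}\t${Status}\n"

# Constructed sample of `dpkg-query -W -f "$DPKG_FORMAT"` output.
SAMPLE_DPKG = (
    "curl\t7.88.1-10+deb12u5\tamd64\tinstall ok installed\n"
    "libc6\t2.36-9+deb12u4\tamd64\tinstall ok installed\n"
    "bash\t5.2.15-2+b2\tamd64\thold ok installed\n"          # held packages are still installed
    "libssl3\t3.0.11-1~deb12u2\tamd64\tinstall ok installed\n"
    "vim-common\t2:9.0.1378-2\tall\tinstall ok installed\n"  # epoch in the version
    "old-tool\t1.0-1\tamd64\tdeinstall ok config-files\n"    # removed; only config files remain
)

# Constructed sample of /etc/os-release on Debian 12.
SAMPLE_OS_RELEASE = (
    'PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"\n'
    "ID=debian\n"
    'VERSION_ID="12"\n'
)


def parse_os_release(text):
    """Parse KEY=VALUE lines of os-release into a dict (quotes stripped)."""
    info = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip().strip('"')
    return info


def parse_dpkg(text):
    """Parse dpkg-query output and keep only packages that are installed.

    dpkg lists packages that were removed but still have config files
    (status "deinstall ok config-files"); those must not enter the SBOM.
    """
    packages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"unexpected dpkg-query line: {line!r}")
        name, version, arch, status = fields
        if status.split()[-1] != "installed":
            continue
        packages.append({"name": name, "version": version, "arch": arch})
    return packages


def deb_purl(name, version, arch, distro_id, distro_version):
    """Build a purl for a Debian package.

    The version is percent-encoded so that the epoch separator ':' and the
    '+' common in Debian revisions survive ('~' is unreserved and kept).
    """
    purl = f"pkg:deb/{distro_id}/{name}@{quote(version, safe='')}?arch={arch}"
    if distro_version:
        purl += f"&distro={distro_id}-{distro_version}"
    return purl


def build_sbom(packages, os_info):
    """Assemble a minimal CycloneDX 1.5 document from parsed packages."""
    distro_id = os_info.get("ID", "debian")
    distro_version = os_info.get("VERSION_ID", "")
    components = [
        {
            "type": "library",
            "name": p["name"],
            "version": p["version"],
            "purl": deb_purl(p["name"], p["version"], p["arch"], distro_id, distro_version),
        }
        for p in packages
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
        "components": components,
    }


def sbom_from_live_system():
    """Query the running image (requires dpkg-query and /etc/os-release)."""
    out = subprocess.run(
        ["dpkg-query", "-W", "-f", DPKG_FORMAT], check=True, capture_output=True, text=True
    ).stdout
    with open("/etc/os-release", encoding="utf-8") as fh:
        os_info = parse_os_release(fh.read())
    return build_sbom(parse_dpkg(out), os_info)


if __name__ == "__main__":
    print(json.dumps(sbom_from_live_system(), indent=2))
```

In a pipeline the script would run inside the job's own image and write its output to a file that the job exposes as an artifact (GitLab accepts CycloneDX files under artifacts:reports:cyclonedx), which is what native apt support would make unnecessary.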
Call to Action

I encourage the product manager and community to provide feedback on this proposal. Your insights are invaluable to refine this idea further and ensure it meets the needs of all stakeholders involved.